Cyber Incident Victim: Russian Ministry of Internal Affairs
Date:
Sep 2021
Location:
Russia
Summary
A suspected state-sponsored cyber-espionage operation targeted Russian entities, including the Ministry of the Interior and a major defense contractor, through spear-phishing emails carrying malicious Office documents that exploited a vulnerability in the MSHTML browser engine component. The exploit enabled arbitrary code execution to deploy malware, with the documents masquerading as HR forms or official fines; the attackers remained unidentified despite the campaign's sophistication and its focus on high-value organizations.
Description
In mid-September 2021, Russian organizations including the Ministry of the Interior were targeted in a suspected cyber-espionage operation exploiting CVE-2021-40444, a vulnerability reached through Microsoft Office documents. Attackers sent spear-phishing emails containing malicious Office documents disguised as official communications. One document type masqueraded as fines for "illegal activity" purportedly issued by Russia's Ministry of the Interior, while another posed as an HR department form targeting JSC GREC Makeyev, a ballistic missile fuel developer. The attack required recipients to enable editing in the document, which triggered the exploit. The vulnerability, in the MSHTML component, allowed attackers to load a malicious ActiveX control and execute arbitrary code to install additional malware. Security firm Malwarebytes first identified the attacks but could not confirm specific targets for the Ministry of the Interior-themed documents. The final payload used Themida packing and anti-analysis techniques to evade detection.

Microsoft had patched CVE-2021-40444 on September 14, 2021, during its monthly Patch Tuesday update, two days before Malwarebytes publicized these attacks. The exploitation campaign also affected Russian telecommunications companies, and security researchers observed early experimentation with the exploit by an individual linked to the Ryuk/Conti ransomware operation. Malwarebytes noted the rarity of attacks against Russian entities and suggested potential state sponsorship given the high-value defense sector target. No attribution was confirmed during initial investigations, though historical precedent existed for foreign cyber-espionage against Russian government agencies, including FSB-reported breaches by suspected Chinese groups earlier in 2021. The incident highlighted continued exploitation of unpatched Office vulnerabilities for initial network access across multiple threat actor profiles.
